Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to remove or modify Confluence X-Frame-Options response header?

Dirk Brutscher
Dirk Brutscher November 5, 2015

Hi,

my current Confluence 5.8.15 / TomCat 8 instance seems to add a "X-Frame-Options: SAMEORIGIN" header to all responses. How can I disable or modify this behavior? (please no security discussion wink)

Answer
Watch
Like Morgan Yarbrough likes this
9711 views

2 answers

1 vote
Dirk Brutscher
Dirk Brutscher
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 23, 2015

Hi,

behavior seems to be related with the option:

antiClickJackingEnabled c.f. https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html

Because I didn't want to change the default configuration, I rewrote my plugin to use JSONP instead of been loaded within an iframe.

Reply
0 votes
Jens Kasperek (
Jens Kasperek (Bosch GmbH) November 23, 2015

Same issue over here! Since we upgraded to Confluence 5.8.16 we experience an issue that all iFrame integrations do not work anymore. Additionally, we had multiple issues with the new sameorigin policy since we use a Tivoli Access Manager in front of our Tomcat.

View More Comments
Dieter Greiner
Dieter Greiner November 23, 2015

Jens, just saw on https://jira.atlassian.com/browse/CONF-29230 and from the source in SecurityHeadersInterceptor.java that -Dconfluence.clickjacking.protection.disable=true might help. Please try that, i haven't checked it yet

Like
Jens Kasperek (
Jens Kasperek (Bosch GmbH) January 13, 2016

We had this setting enabled on Confluence 5.8.16 which worked fine. Now, on Confluence 5.8.18 it does not work anymore. I could not find any information on this on the release notes of Confluence, which is very bad :(

Like
Carol Jones2
Carol Jones January 19, 2016

We are also experiencing this issue since upgrading Confluence to 5.8.18 and need to find a way for at least one space within our Confluence instance to be able to be viewed through an iframe.  Have either of you had any more luck with this?

Like
Jens Kasperek (
Jens Kasperek (Bosch GmbH) January 19, 2016

Hi Carol!

While we were able to resolve this on Conf 5.8.16 by adding a parameter to JAVA_OPTS on setenv.sh, we had to add this to CATALINA_OPTS on Conf 5.8.18. See:

#Click jacking protection disable
CATALINA_OPTS="${CATALINA_OPTS} -Dconfluence.clickjacking.protection.disable=true"

So, if you add this to setenv.sh, iframes will work again!

Like
Carol Jones2
Carol Jones January 19, 2016

Thanks for your quick reply, extremely appreciated!  This pointed me in exactly the direction I needed!

In case others need this, here's what I had to do since we are running on Windows using a Windows Service.

Open setting properties for Windows Services via Command Line (an example of how to do this is listed within the link below – remember we are now using tomcat8 instead of 7 when entering the command):

https://confluence.atlassian.com/jira/setting-properties-and-options-on-startup-120007.html#SettingPropertiesandOptionsonStartup-SettingPropertiesforWindowsServicesviaCommandLine

Within the Java Options, add the below line:

-Dconfluence.clickjacking.protection.disable=true
Like
Ajay Upadhyaya
Ajay Upadhyaya February 9, 2016

An alternate (to Java Options), if you have a web server in front of Tomcat, you can remove these two headers. e.g. in Apache/mod_headers/mod_jk kind of setup to connect Apache to Tomcat add following

<VirtualHost *:80>
        ServerName yourconfluence.yourdomain.com
        JkMount /* wconfl
        Header unset X-Frame-Options
        Header unset Content-Security-Policy
</VirtualHost>

Header unset should work in other places as well in apache config file, I guess.

 

Like
loxlay
loxlay May 27, 2020

Hi Ajay,
can you please explain what exactly the line “JkMount /* wconfl” is doing?
So far as I know “wconfl” is a worker for tomcat, right?
How is the file “workers.properties” defined, then?
Thanks loxlay

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events